Reverse proxy (nginx) setup question

Install/Maintain/Configure
1

Hi all,

I recently set up a gitea server that I want to access from anywhere.
My setup is currently behind a revers proxy using swag, using the config template here.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name gitea.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app gitea;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/gitea)?/info/lfs {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app gitea;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

I changed the SSH_DOMAIN, ROOT_URL and DOMAIN to my own subdomain and am capable of reaching the webgui.

However, when cloning a repository in git, it throws an error message saying “This site can’t provide a secure connection … ERR_SSL_PROTOCOL_ERROR” error.

my current config.ini:

APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea

[repository]
ROOT = /repo-code

[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo

[repository.upload]
TEMP_PATH = /data/gitea/uploads

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = domain.com
SSH_DOMAIN = domain.com
HTTP_PORT = 80
ROOT_URL = https://domain.com/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = 
OFFLINE_MODE = false

[database]
PATH = /data/gitea/gitea.db
DB_TYPE = postgres
HOST = ip:port
NAME = 
USER = 
PASSWD = 
LOG_SQL = false
SCHEMA =
SSL_MODE = disable

[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve

[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file

[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars

[attachment]
PATH = /data/gitea/attachments

[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log

[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = 
PASSWORD_HASH_ALGO = pbkdf2

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost

[lfs]
PATH = /repo-lfs

[mailer]
ENABLED = false

[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false

[cron.update_checker]
ENABLED = false

[repository.pull-request]
DEFAULT_MERGE_STYLE = merge

[repository.signing]
DEFAULT_TRUST_MODEL = committer

[oauth2]
JWT_SECRET =

Is there anything I have missed? I assume forwarding the ssh port is not required? (I did try disabling ssh alltogether but no luck).

Anyone who can help me out?
Thx in advance.

2

Gitea currently doesn’t support http2. Maybe you can try to remove http2.

3

Hi, thx for the respons,

Tried that, no luck :confused:
I also tried copying the same config as in the reverse proxy guide on the gitea docs (had to remove the host header line for it to work), but also no luck.

4

Can you visit Gitea directly?

5

as in the webgui?

Yes, everything works, except when I do a git clone. Then it would go to the webgui perfectly for login and 2fa, after which it throws the error.

6

maybe important info. I currently don’t have port 22 forwarded to my gitea.
I am not sure if ssh port forwarding is required?

7

Hi, I figured it out. Swag includes some configuration files in their proxy templates where certain extra headers are set, removing those includes fixed the problem, thx for the help

1 Like